SUMMARY: Deleting accounts

From: Ray Lauff <ray_at_thunder.ocis.temple.edu>
Date: Wed, 02 Sep 1998 22:16:54 -0400 (EDT)

As usual, thanks for the quick responses.

It seems that the retirement of the accounts is a requirement of
C2 security, and that Compaq was only making their version of it
compliant. The idea is to prevent the reuse of uid's, which
could result in files being assigned to the new user that shouldn't be.

The manual way of doing it is to edit the /etc/passwd file with
the vipw command to remove the account and then use the command

        /usr/tcb/bin/convuser -d userid

to reconcile the tcb auth.db database.

While this will accomplish the task, it does little for batch
processing.

Fortunately, it's a simple enough matter to edit the /etc/passwd
file with sed, rebuild the /etc/passwd.pag and /etc/passwd.dir
files with "/usr/sbin/mkpasswd -v /etc/passwd", and then run
convuser -d. I've updated our delete user script to do just
this, and it now works as before!



OTHER COMMENTS
I consider the fix by Compaq to be a good thing for standards,
but it would really be nifty if they'd update the man pages
(the edauth page still talks about /tcb/files/auth/r/root
type files) and make a bit more noise about it in the release
notes. Let's face it, many people never even bother to
read the release notes, and a single sentence about it is
just too little for something that could have a major
impact on a system's security if left unchecked. And, the man
pages still say "remove", not retire.

A suggestion was made by Tom Webster of Boeing that Digital Unix
offer three levels of security: BASE, BASEPLUS, and ENHANCED,
with BASEPLUS providing a subset of C2 with less restrictive
(I'd like to think more 'education institution oriented' :) )
security. This would sure be handy.


Thanks to:
        Tom Webster <webster_at_ssdpdc.lgb.cal.boeing.com>
        Eric Mermelstein <emermels_at_doas.state.ga.us>
        Jeff Borah <jeff_at_snyfarvg.cc.farmingdale.edu>
        Steve Copeland <Steve.Copeland_at_Enersis.co.nz>
        Alan Davis <Alan.Davis_at_digital.com>
        John Speno <speno_at_isc.upenn.edu>

ray


-- 
Ray Lauff : ray_at_thunder.ocis.temple.edu : (215) 204-5678 : Temple University
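The batch retirement procedure described in the message above (sed on /etc/passwd, mkpasswd -v, convuser -d), as an added example script that is not part of the original post or of Ray's own delete user script. It assumes the Digital Unix tool paths named in the post; the sed step anchors on "^user:" so that retiring one account cannot strip another whose name merely contains the same string.

```shell
#!/bin/sh
# Added example, not from the original post. Retires an account the way the
# message describes: strip the passwd entry with sed, rebuild the passwd.pag
# and passwd.dir files with mkpasswd -v, then run convuser -d to reconcile the
# tcb auth.db. Paths are the Digital Unix ones named in the post and can be
# overridden so the sed step can be exercised on a scratch copy.
PASSWD_FILE="${PASSWD_FILE:-/etc/passwd}"
MKPASSWD="${MKPASSWD:-/usr/sbin/mkpasswd}"
CONVUSER="${CONVUSER:-/usr/tcb/bin/convuser}"

# Constructed sample passwd file (not real data) for trying the sed step safely.
write_sample_passwd() {
    printf '%s\n' 'root:x:0:0:root:/:/bin/sh' \
        'ray:x:1001:100:Ray:/home/ray:/bin/sh' \
        'raymond:x:1002:100:Raymond:/home/raymond:/bin/sh' > "$1"
}

# Remove exactly one account from a passwd-format file and print how many
# entries went away (0 if the user was not present). The pattern is anchored on
# "^name:" so that retiring "ray" cannot also strip "raymond"; a bare sed /ray/d
# would delete every line containing that string. A .bak copy is kept for rollback.
remove_passwd_entry() {
    user="$1"; file="$2"
    case "$user" in
        ""|*[!A-Za-z0-9._-]*) echo "bad username: $user" >&2; return 2 ;;
    esac
    esc=$(printf '%s' "$user" | sed 's/[.]/\\./g')   # dots are literal in the name
    before=$(wc -l < "$file")
    cp "$file" "$file.bak" || return 1
    sed "/^$esc:/d" "$file.bak" > "$file" || return 1
    after=$(wc -l < "$file")
    echo $((before - after))
}

# Full batch retirement of one user, in the order the post gives. Note that
# sed does not take the lock vipw would, so run this from a single admin job.
retire_user() {
    user="$1"
    removed=$(remove_passwd_entry "$user" "$PASSWD_FILE") || return 1
    [ "$removed" -eq 1 ] || { echo "expected 1 entry for $user, removed $removed" >&2; return 1; }
    "$MKPASSWD" -v "$PASSWD_FILE" || return 1    # rebuild /etc/passwd.pag and .dir
    "$CONVUSER" -d "$user"                       # reconcile the tcb auth.db
}

# Usage: retire_user ray
```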